From f677814de0c04b45ed38dfe4ae8ab7416a5980b7 Mon Sep 17 00:00:00 2001
From: Jason Karns
Date: Fri, 7 Jun 2024 23:36:42 -0400
Subject: [PATCH] Harden sync and tag workflows (#46)
---
 .github/workflows/sync-default-branch.yml | 2 ++
 .github/workflows/tag-major.yml | 2 ++
 .github/workflows/test.yml | 6 ++++++
 3 files changed, 10 insertions(+)
diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml
index 23eab4c..3d6d686 100644
--- a/.github/workflows/sync-default-branch.yml
+++ b/.github/workflows/sync-default-branch.yml
@@ -8,5 +8,7 @@ jobs:
 permissions: {contents: write}
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with: {egress-policy: audit}
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - run: git push --force origin HEAD:refs/heads/master
diff --git a/.github/workflows/tag-major.yml b/.github/workflows/tag-major.yml
index a4535f1..d43cb58 100644
--- a/.github/workflows/tag-major.yml
+++ b/.github/workflows/tag-major.yml
@@ -11,5 +11,7 @@ jobs:
 permissions: {contents: write}
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with: {egress-policy: audit}
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - run: git push -f origin "HEAD:refs/heads/${GITHUB_REF_NAME%%.*}"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7adddce..0d86eba 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -20,6 +20,8 @@ jobs:
 runs-on: ${{ matrix.os }}-latest
 strategy: {matrix: {os: [ubuntu, macOS]}}
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with: {egress-policy: audit}
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - run: npm cit
 
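Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections; it does not stop a compromised dependency or action from sending the `contents: write` token this job holds for its force-push somewhere other than github.com. The same audit-only setting is added in the tag-major.yml hunk and in all three test.yml hunks, so this note covers those too. Audit mode is the right first step, but the intent should be recorded and a follow-up planned: after a couple of runs the audit report lists the endpoints each job actually used, and the two push jobs can then be tightened to something like `with: {egress-policy: block, allowed-endpoints: 'github.com:443'}` (the test jobs will additionally need the npm, super-linter and scorecard endpoints — take them from the report rather than guessing). Until then, a comment such as `# audit only: review the harden-runner report, then switch to block with allowed-endpoints` on the step would make clear that no egress is being enforced yet. The enclosing job definition starts before the hunk.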
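Review bot: This job's matrix runs on both ubuntu and macOS, and harden-runner at the pinned v2.8.0 supports GitHub-hosted Ubuntu runners only, so on the macOS leg the new step appears to provide no egress monitoring at all (to my reading it logs a message and skips rather than failing — confirm against the action's documentation for the pinned version). Adding the step unconditionally leaves a reader assuming both legs are covered when only one is. Either document it on the step, e.g. `# harden-runner only monitors the ubuntu leg; the macOS leg runs unmonitored`, or make the scope explicit with `if: matrix.os == 'ubuntu'` on that step. The job definition begins before the hunk.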
@@ -28,6 +30,8 @@ jobs:
 permissions: {contents: read, packages: read, statuses: write}
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with: {egress-policy: audit}
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with: {fetch-depth: 0}
 - uses: super-linter/super-linter/slim@5b638caee6ba65e25e07143887b669a1233847a0 # v6.5.1
@@ -49,6 +53,8 @@ jobs:
 permissions: {id-token: write, security-events: write}
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with: {egress-policy: audit}
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
 with: